2012-04-05, 05:17

betona

Setting the DNS is a little hassle for an experienced user and very unlikely for the novice. I've been using a free utility for a couple of years called DNS Jumper - I believe it may be the only such tool out there and it works like a charm. It basically makes it drop-down easy to set your DNS to wherever you want, and even tests the speed of the one you have selected or all of them to show you which one's faster.

And as you pointed out, some like Comodo block some of the bad guys. Granted, this is at the PC level and not at your router, but its testing would be useful there. Most people use whatever their ISP provides, never knowing they can get a little speed boost as well as a little added safety in some cases.

2012-04-05, 06:06

allendick

HOSTS File Interception of Malicious Sites

I have used OpenDNS in the past, but found that, on occasion and although I had set no restrictions, it suddenly decided I could not watch YouTube or access some site or another due to my 'policy', then later reverted to working -- as far as I could tell -- properly. I had not set restrictions.

"Does Google Public DNS offer the ability to block or filter out unwanted sites? No. Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind. We believe that such functionality is best performed by the client. If you are interested in enabling such functionality, you should consider installing a client-side application or browser add-on for this purpose."

I run the scan periodically, but don't worry too much about some of the cookies it turns up. It has on occasion found more undesirable things on machines for me, though. I generally use it as part of my clean-up of friends' machines, along with (indispensable) Malwarebytes.

My understanding is that this free application (I found it is worth a donation) maintains a list of bad IPs that it injects into the HOSTS file on the user's computer and silently and unobtrusively redirects those IPs to 127.0.0.0. It seems completely unobtrusive, but needs regular manual updating and immunization. I tried the new beta and found it unintuitive and slow, but the tried-and-true 1.62 version has served me well on many machines. It has other protections which I can't claim to really understand, but which seem to be reasonably lightweight, and, of course, there is the scan.

I also note that Steve Gibson has been promising a GRC Net Filter for the last several years (see http://www.grc.com/nf/netfilter.htm ). He seems to have gone completely offline for some time; does anybody know if he is OK and if he intends to continue the Net Filter? I hope so, because I started using his freeware programmes with the original ASPI_ME back in the day and I find his products amazing.
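As an added illustration of the HOSTS-file interception allendick describes (this is not code from the thread or from Spybot; the hostnames and addresses are constructed), the block below parses HOSTS-style lines the way an immunizer writes them, treats any 127.0.0.0/8 address or 0.0.0.0 as a sinkhole, and reports for a given name whether it is blocked locally, pinned to some other address, or left to normal DNS. A useful defender's check is the "pinned" case: a HOSTS entry that points a name at a routable address is a redirection, not a block, and is worth reviewing.

```python
import ipaddress

# Constructed sample of HOSTS-file lines in the style an immunizer inserts.
# The .invalid and .example names are placeholders, not real blocklist entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by an immunizer (constructed example)
127.0.0.1  bad-example-one.invalid   # trailing comment
0.0.0.0    bad-example-two.invalid   also-bad.invalid
10.0.0.5   intranet.example          # a redirect, not a block
::1        localhost
"""


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the HOSTS file gives it."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                    # address with no names: skip
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address: ignore line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # keep the first entry for a name
    return table


def is_sinkhole(ip):
    """True if the address can never reach the real site (loopback or 0.0.0.0)."""
    return ip.is_loopback or ip == ipaddress.ip_address("0.0.0.0")


def classify(hostname, hosts_table):
    """Return 'blocked', 'pinned' or 'dns' for a name, checking HOSTS first."""
    ip = hosts_table.get(hostname.lower())
    if ip is None:
        return "dns"                           # not in HOSTS: resolver decides
    return "blocked" if is_sinkhole(ip) else "pinned"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("bad-example-one.invalid", "intranet.example", "example.org"):
        print(f"{name}: {classify(name, table)}")
```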

2012-04-05, 08:54

NinerSevenTango

DNS tracking and filtering is ideal for government/commercial information harvesting and control; some versions of it are already in place in jurisdictions where information access is restricted.

In corporate networks, set up your own web proxy, but not for the purpose of catching malware. (Smoothwall is free.) No DNS system can keep one of your trusted sites from getting hacked.

The best way to protect against these things so far is Firefox with NoScript, and a behavior-limiting software firewall (Private Firewall, free, has picked up where KPF left off), backed up by AVG or the like. This way, a user has to allow the malware to run with two or three different explicit 'allow' actions. Works best of anything I've ever tried; it takes a determined user to infect a machine. For the corporate dummy users, hide the desktop and menu links to IE but leave it installed for updates, and don't give them the password to an admin account on the machine.

Bottom line: DNS filtering can only give a false sense of security, in my humble opinion.

2012-04-05, 10:11

minnetonka

Here comes a big show of ignorance

I too use Spybot Search & Destroy Immunize, NoScript, Avast paid, SpywareBlaster paid, AdBlock Plus, Better Privacy. Have been trying to figure out whether to get w/ a VPN service and then read this.
Confused whether this is a parallel protection or something quite different? Do one or both? Great article, just that now I'm left confused about what's best for an all-in-one solution for both the desktop and the wi-fi laptop I might use at Starbucks, for example.

2012-04-05, 10:28

GreggBuck

It looks like OpenDNS Premium is still free. It has a limit of how many sites you can manually block.

2012-04-05, 11:16

ibe98765

I use L3 DNS servers w/o blocking. The services that do proactive blocking sometimes block harmless things that I want to check out. For instance, Comodo blocks ALL parked pages on the premise that no one wants to see ad filled pages. But in this case, I DID want to see what the guy was doing. So I dumped their secure DNS because they do not offer a real-time option to override their blocking.

2012-04-05, 11:19

FixMeister

Just read the article and noticed that you are using a non-routable address in the paragraph for policy 1:

So how do these DNS-filtering services you speak of (I won't say "recommend", but really, that's what it amounts to) make their money? Do they track activity and sell that info to advertisers? Do they inject ads into one's web surfing in some way? Do they rely on upselling into their paid services? What's in it for them? I looked at two of their sites and didn't see anything that answered these relatively straightforward questions. Any reasonable user should ask about such things prior to making use of an apparently "free" service on today's Interporn.

It's very odd that there's *no* mention whatsoever of this topic in your article.

2012-04-05, 11:27

FixMeister

Steve Gibson is alive!

He (Steve Gibson) is alive and well. You can watch his video webcasts, called "SecurityNow", every Wednesday @ live.twit.tv or download the recordings from http://www.grc.com/securitynow.htm

2012-04-05, 11:29

OneDave

Thanks for your article. I always wondered how this works. I have a related question -- How does one keep peer-to-peer traffic off of the local network? My ISP won't block it. I don't have control of the computers that connect by Wi-Fi, but I do control the router and could install hardware if needed.
Any comments would be appreciated!
Dave

2012-04-05, 12:45

SusanBradley

There's a typo in number 1 - it should be 198, not 192. Apologies.

For this level, set your DNS entries to 192.153.192.40 and 198.153.194.40.

Should be 198.153.192.40

2012-04-05, 17:35

RandySea

Comcast may block legitimate email from foreign sites w/out notice

I have friends in various foreign countries, including France, England, and Australia. Without warning, Comcast has blocked incoming email from legitimate providers in each of these countries. Is this what Ms. Bradley means by: "Along with DNS, some ISPs (such as Comcast) include Web filtering — also called content filtering — for additional security?"

When Comcast blocks the incoming mail, sometimes the sender gets a bounce message from Comcast. Equally often, they have no way to know that Comcast has blocked the email. Nor do I. This happened with some important email from my bank in France, for example.

Each time it happened and I found out, I called Comcast's security division. They would check, discover that the particular domain had a block on it, and then release the block. This might last for a while, or the block might reappear a few days later. If this is web filtering, Comcast's version is not worth the trouble it causes.

After dealing with this for a couple of years, I found the solution. I use gmail for all my foreign correspondents. I really hate doing this, but there is nothing else I can do until I change providers.

2012-04-05, 17:38

- bill

Hmmm. I've been using OpenDNS at home for a while now and it seems to work well, but your comment about the change in business-version policy prompted me to think again.

2.5 years ago the OpenDNS president wrote to his business users, when introducing new business versions, "the free version you use and love today, what we’re calling OpenDNS Basic, is not going away. Ever." Now, that same president appears to be channeling Ron Ziegler (Richard Nixon's press secretary) with his announcement that "that statement is no longer operative" (though, of course, he didn't put it in those words, even when directly challenged on the blog which you cited).

I'll continue using free OpenDNS for now but will also keep an eye out for alternatives just in case they decide to renege on their word for home as well as business users. If you don't need anything more in your own business than the 'home' version I'd encourage you to use it if you can get away with it, given that you were unambiguously told that you could do so forever a while back.